[sf-lug] Full Disk Encryption options?
Erich Newell
erich.newell at gmail.com
Mon Mar 24 01:05:42 PDT 2008
Depending how paranoid you are, there are multiple approaches to this. Since
you seem to be about as paranoid as I am, I will share with you my ultimate
setup.
Use the Gutsy alternative disc for installation. With this, you can set up
encryption. Have the /boot as ext3, which is a usb thumb drive. Partition
the entire disk for encryption. Use LVM to break the partition into your
various working partitions (swap, / , /var, /home etc.)
>From there, install normally. Use the BIOS locking trick as Tom recommended
and set it to always boot off of the USB. Have a script setup such that your
/boot partition is unmounted after the rest of the system is loaded, and
have it teathered to your keychain or whatever mechanism works to keep you
from leaving it in your machine (or anywhere else for that matter).
To take it to the next level, I recommend using an OpenPGP card for the
generation and storage of your private keys rather than keeping them on your
unencrypted USB stick. (Requires a smartcard reader and pcsc or ctapi in
your kernel)
To take it to the *next next* level, get one of those cheezy "Wireless PC
Lock" toys and use it to trigger a script that locks your gnome/kde session
as soon as it loses sense of the fob.
On another note: due to a known root level exploit, I also recommend
disabling firewire altogether.
Gotchas:
1) The kernel image stored on your USB stick is now your weak link. Guard it
carefully.
2) Once the system is first setup, unmount your boot partition and mount it
as something else...copy the entire contents to the /boot directory in the /
partition...whenever you upgrade anything that affects your kernel, be sure
to copy it over to your USB stick...messing up your kernel image could make
for an unpleasant surprise.
3) Keep a Truecrypt backup of all of your data on another drive or on the
cloud somewhere...just in case.
4) I have not thought of a useful way to auto-lock or log you out of any
ttys that you may have open, so keep that in mind. (Suggestions here are
welcome/requested)
5) I'm sure this still leaves you vulnerable to the "spray the ram with
freon and put it in another laptop" attack...the only recommendation I have
for this is to strip out the heads to the access plates for your laptop RAM.
(If you simply lift the keyboard up to get at it then you're SOL.
Share and Enjoy.
- Erich
--
"A man is defined by the questions that he asks; and the way he goes about
finding the answers to those questions is the way he goes through life."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://linuxmafia.com/pipermail/sf-lug/attachments/20080324/4a87ccbe/attachment.html>
More information about the sf-lug
mailing list